your user is set to UTC in the Splunk GUI, correct? click the username dropdown (top right of your screen) > Account Settings > Set timezone
With my user set in UTC, I see these events at 3AM GMT in my Time field....is that what you are trying to achieve? Note the time in the event has not changed, just the Time field now has a local conversion in the gui.
can you please collect the output of ./splunk btool props list sched --debug on your forwarder and your indexer? ( not sure of your setup, I think you said forwarder)
you have the sched sourcetype updated in both a forwarder and indexer, correct?
`[splunker@n00bserver bin]$ ./splunk btool props list sched --debug
/home/splunker/splunk/etc/apps/search/local/props.conf [sched]
.........
/home/splunker/splunk/etc/apps/search/local/props.conf TIME_FORMAT = %Y-%m-%d %H:%M:%S,%f
/home/splunker/splunk/etc/apps/search/local/props.conf TIME_PREFIX = ^
/home/splunker/splunk/etc/system/default/props.conf TRANSFORMS =
/home/splunker/splunk/etc/system/default/props.conf TRUNCATE = 10000
/home/splunker/splunk/etc/apps/search/local/props.conf TZ = Brazil/East
........
`
Brasil event time, UTC Splunk web user, splunker sitting in Canada 😉
... View more